CVE-2013-1620

Published: 08/02/2013 Updated: 09/10/2018
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
VMScore: 383
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Vulnerability Summary

The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote malicious users to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.

Vendor Advisories

Synopsis: Moderate: rhev-hypervisor6 security and bug fix update. Type/Severity: Security Advisory: Moderate. Topic: An updated rhev-hypervisor6 package that fixes three security issues and various bugs is now available. The Red Hat Security Response Team has rated this update as having moderate security impact. Co ...
Debian Bug report logs - #699888: TLS timing attack in nss (Lucky 13). Package: nss; Maintainer for nss is Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>; Reported by: Thijs Kinkhorst <thijs@debian.org>; Date: Wed, 6 Feb 2013 10:54:02 UTC; Severity: serious; Tags: security; Fixed in version ...
NSS could be made to expose sensitive information over the network ...
It was discovered that NSS leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL or DTLS server as a padding oracle. (CVE-2013-1620) An out-of-bounds memory read ...
VMware ESX 4.1 without patch ESX410-201312001 ...
A flaw was found in the way NSS handled invalid handshake packets. A remote attacker could use this flaw to cause a TLS/SSL client using NSS to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2013-5605) It was found that the fix for CVE-2013-1620 introduced a regression causing NSS to read ...
Oracle Critical Patch Update Advisory - January 2015. Description: A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisor ...